WebUI Patch Policy Schedule Limitation

lthao 2021-09-23 23:38:05 UTC #1

Our organization’s maintenance window is typically on the 3rd Thursday on the month which gives us a week to test patches after Microsoft releases them on the 2nd Tuesday of the month. But this month, my team and I notice that our patch policies was being deployed a week earlier than our anticipated maintenance window. After some investigating, I noticed that this month (Sept 2021) has 5 Thursdays in the month which offset our reoccurring schedule in our Patch Policies. It resulted with my team having to go back into each of their patch policies and adjusting their schedule to patch on the 4th Thursday of the month to accommodate this offset. Then next month they’re have to go back in and revert the schedule back to the 3rd Thursday to meet our maintenance window. Looking at the calendar year for 2021 and 2022, there’s 4 month our of the year where this offset repeats. In the spirit of automation and setting and forgetting, this is a limitation to Patch Policy scheduling.

Is there currently a feature in the WebUI to accommodate for these odd months?

If not, can BigFix implement a more flexible scheduling option for Patch Policy in the WebUI?

I’ve worked with SAP BOE where you can create objects called Scheduling Calendars and set specific dates for the entire year and next to run a report. You can create and save multiple of these Scheduling Calendars and have your reports reference them as their schedule to run. Is it possible to develop something similar to this?

Example from SAP BOE Scheduling Calendar wizard:

JasonWalker 2021-09-24 02:16:56 UTC #2

If you want the whole schedule to be based off of Patch Tuesday, set the schedule to run “16 days after the first Tuesday of the month”. That will always be the Thursday of the week after Patch Tuesday.

JasonWalker 2021-09-24 02:20:45 UTC #3

To the other question, yes you can set complex logic for Maintenance Windows, just not for the Patch Policy Schedule.

Use the console’s “Manage Maintenance Windows” Dashboard to set the windows however you like,.and set the Patch Policy checkbox for “Run in maintenance window”.

Be sure to check the instructions in the Maintenance Window Wizard, you have to manually create a Global Property for “In Maintenance Window”. This is a one-time effort you can do by copying the relevance from the Maintenance Window Analysis.

eboth225 2021-10-20 14:03:28 UTC #4

Jason, I am trying to use the WebUI and maintenance windows and need to clarify something. My test results are that when I create an action manually and use “In Maintenance Window matches True” then it will succeed. But when the WebUI creates the action it uses “In Maintenance Window = True” and this never returns true for me.

I checked my properties and I have both of these activated globally:

I’m pretty positive I did not create the one in the Master Action site, but regardless it is there so shouldn’t that be satisfying the suggestion you have about manually creating it? I verified both properties are returning true.

Thanks,

[edit]
Also this confirms what you suggested, but it does not seem to be working for me.
https://help.hcltechsw.com/bigfix/10.0/webui/WebUI/Users_Guide/t_create_patch_policy.html?hl=maintenance

JasonWalker 2021-10-20 14:57:50 UTC #5

It’s been a while since I visited this topic… @jgstew or @dexdexdex may be able to advise…
I can say for sure that it’s the “Global” property for “In Maintenance Window” that is used when we define a constraint.
@jgstew, @dexdexdex, any comment on the difference between “Matches True” and “= True” when used in an action constraint?

eboth225 2021-10-25 13:16:00 UTC #6

I got around this by creating an automatic group that targets the computers I want and checks maintenance window status at the same time. So now my patch policy only targets that group and no longer uses the “in maintenance window” checkbox.

LouC 2022-04-26 18:12:03 UTC #7

I’m experiencing the exact same issue. The “In Maintenance Window” Global property and the copy i created both are = True yet the action still says The constraint “In Maintenance Window = True” is not met. Is this a bug? Or did i miss a step?

JasonWalker 2022-04-26 18:32:43 UTC #8

…do you now have two Global Properties named “In Maintenance Windows”? I could envision that causing some issues.

If you view the property result in the Computer view, is it reporting “True”?

itsmpro92 2022-04-26 18:59:22 UTC #9

Only master operators can create Global Properties. Is the new property in the Master Action Site?

LouC 2022-04-26 19:01:21 UTC #10

Yes, I now have 2 properties named “In Maintenance Window”. I created a custom copy of the original like described here: https://help.hcltechsw.com/bigfix/10.0/webui/WebUI/Users_Guide/t_create_patch_policy.html#task_z3h_p3s_d4b__ul_mzj_p4l_f4b

Yes, if i view the property of the original and the custom copy in the computer view they both are reporting true.

Yes, i created it in the Master Action Site.

JasonWalker 2022-04-26 22:35:01 UTC #11

Can you export the action in the Console and post the XML here? I’m honestly not sure how the API would behave with two copies of the property in the Master Action Site.
You should probably remove one of them.

LouC 2022-04-27 00:17:01 UTC #12

The original “In Maintenance Window” data property is in the BES Support Site and cannot be deleted. The custom copy I created is in the master action site. If i delete it then i can no longer use this capability with Patch Policies (I can no longer check the box “Run within the Maintenance Window”)

LouC 2022-04-28 17:58:44 UTC #13

Looks like this is a bug: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097704